Docker and IPtables Firewall Merger
The problem: modifying firewall rules on a host that runs Docker or Rancher (cattle) blows away the docker bridge and Rancher NAT rules, which breaks networking for all of your containers.
The solution: modify /etc/sysconfig/iptables as normal, but instead of running iptables-restore /etc/sysconfig/iptables, run dockerFirewallMerge.py as root.
I’d appreciate some constructive feedback! https://github.com/c … /DockerFirewallMerge
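To show what such a merge has to do, here is an added example (not the dockerFirewallMerge.py from the post, whose code is not on this page): it parses the administrator's /etc/sysconfig/iptables and the live iptables-save output, keeps every live rule that belongs to Docker or Rancher, and emits a combined file for iptables-restore. The managed chain prefixes (DOCKER*, CATTLE_*) and bridge names (docker0, br-<id>) are assumptions, and both inputs are constructed samples.

```python
"""Merge the live Docker / Rancher iptables rules into a hand-written ruleset.

Added example, not the post's script. A rule counts as managed when it sits in,
or jumps to, a DOCKER*/CATTLE_* chain (assumed names), or when it matches a
docker bridge interface. Managed rules are placed before the base rules of the
same table so Docker's FORWARD jumps precede a trailing REJECT.
"""
import re

MANAGED_PREFIXES = ("DOCKER", "CATTLE_")  # CATTLE_ assumed for Rancher
BUILTIN_CHAINS = {"INPUT", "FORWARD", "OUTPUT", "PREROUTING", "POSTROUTING"}
MANAGED_IFACE = re.compile(r"(?:^|\s)-[io]\s+(?:docker\d+|br-[0-9a-f]+)(?:\s|$)")
TARGET = re.compile(r"\s-j\s+(\S+)")

# Constructed sample: the admin's base policy (no Docker rules in it).
BASE_RULES = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed sample of iptables-save on the running host. The 8080 rule was
# added by hand on the live box and is not in the base file, so it is dropped.
LIVE_SAVE = """*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
COMMIT
"""


def parse_save(text):
    """Parse iptables-save format into {table: {"chains": [(name, policy)], "rules": [...]}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            tables.setdefault(table, {"chains": [], "rules": []})
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            tables[table]["chains"].append((name, policy))
        elif line.startswith("-A "):
            tables[table]["rules"].append(line)
    return tables


def is_managed(rule):
    """True if the rule belongs to Docker/Rancher (managed chain, target or bridge)."""
    chain = rule.split()[1]
    if chain.startswith(MANAGED_PREFIXES):
        return True
    target = TARGET.search(rule)
    if target and target.group(1).startswith(MANAGED_PREFIXES):
        return True
    return MANAGED_IFACE.search(rule) is not None


def merge(base_text, live_text):
    """Return iptables-restore input: the base policy plus the managed live rules."""
    base, live = parse_save(base_text), parse_save(live_text)
    empty = {"chains": [], "rules": []}
    out = []
    for table in ("raw", "mangle", "nat", "filter"):
        b, l = base.get(table, empty), live.get(table, empty)
        managed = [r for r in l["rules"] if is_managed(r)]
        if table not in base and not managed:
            continue  # leave tables the base file never touched alone
        out.append("*" + table)
        keep_live = [c for c in l["chains"]
                     if c[0].startswith(MANAGED_PREFIXES) or c[0] in BUILTIN_CHAINS]
        seen = set()
        for name, policy in b["chains"] + keep_live:
            if name not in seen:  # declare each chain once
                seen.add(name)
                out.append(":%s %s [0:0]" % (name, policy))
        emitted = set()
        for rule in managed + b["rules"]:
            if rule not in emitted:  # drop exact duplicates
                emitted.add(rule)
                out.append(rule)
        out.append("COMMIT")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(merge(BASE_RULES, LIVE_SAVE))
```

On a real host the two constants would be replaced by the contents of /etc/sysconfig/iptables and the output of iptables-save, and the result piped into iptables-restore; review the output before loading it, since the interface and chain-name assumptions above decide what survives.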
Squid HTTPS interception and filtering without client certificates
I had a requirement to filter (all) web traffic on a few servers. This is typically easy with Squid and its transparent proxy function. Where it gets difficult is filtering domains for HTTPS traffic.
I don't want to SSL-intercept the traffic and I don't want to install CA certificates on the clients; I only want to filter the URLs against a whitelist of what the clients may access. This is how it is done:
yum install squid # I used squid 3.5.20
/usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db
chown -R squid.squid /var/lib/ssl_db
mkdir /etc/squid/ssl_cert/
chown -R squid.squid /etc/squid/ssl_cert/
cd /etc/squid/ssl_cert
openssl req -new -newkey rsa:1024 -days 1365 -nodes -x509 -keyout myca.pem -out myca.pem
echo "www.google.com" > /etc/squid/whitelist
chmod 640 /etc/squid/whitelist
chown root:squid /etc/squid/whitelist
/etc/squid/squid.conf:
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 127.0.0.1/32 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
acl step1 at_step SslBump1
acl whitelist_ssl ssl::server_name "/etc/squid/whitelist"
acl whitelist dstdomain "/etc/squid/whitelist"
acl port_80 port 80
acl http proto http
ssl_bump peek step1
ssl_bump splice whitelist_ssl
ssl_bump terminate all !whitelist_ssl
http_access deny http port_80 localnet !whitelist
http_access allow localnet
http_access deny all
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem
http_port 3128 transparent
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Test it with:
iptables -m owner --uid-owner cm -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to 127.0.0.1:3128
iptables -m owner --uid-owner cm -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to 127.0.0.1:3127
# Closing notes and thoughts
Around this section:
http_access deny http port_80 localnet !whitelist
http_access allow localnet
http_access deny all
It looks a bit odd because we 'allow localnet', which would normally give our clients open access. However, look at the rules that are evaluated first:
ssl_bump terminate all !whitelist_ssl
http_access deny http port_80 localnet !whitelist
These already reject every site other than the whitelist, with an explicit 'deny' for HTTP and an SSL 'terminate' for HTTPS, so the later 'allow localnet' only ever sees whitelisted traffic.
Also, a proxy-aware application will not work with the above configuration, because the proxy is configured in transparent/intercept mode only. This is most likely because there is no normal http_port directive; that suits me, as it minimises the avenues for abuse.
Finally, you need to configure your edge (or local) firewall to destination-NAT the traffic back to the two Squid ports.
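Before rolling the whitelist out, it is worth dry-running the decision the configuration above makes for a given client and host name. The following is an added example (not part of the original post or of Squid) that mirrors the config's rule order for the two intercept ports and applies the domain-matching semantics Squid uses for dstdomain and ssl::server_name entries: a bare name matches only itself, a leading dot matches the domain and all of its subdomains. The whitelist and the client addresses are constructed; treating a missing SNI as "not whitelisted" is an assumption about how the terminate rule behaves when Squid has no server name to match.

```python
"""Dry-run the whitelist policy of the Squid intercept configuration above.

Added example, not Squid code. It reproduces the rule order of the config:
  port 443: ssl_bump peek step1 / splice whitelist_ssl / terminate all !whitelist_ssl,
            decided on the TLS SNI the client sends
  port 80:  http_access deny http port_80 localnet !whitelist,
            http_access allow localnet, http_access deny all,
            decided on the Host header
"""
import ipaddress

# Constructed whitelist in the format the dstdomain / ssl::server_name ACL
# files use. Note that "www.google.com" does NOT match "google.com" or
# "mail.google.com"; ".example.org" matches example.org and every subdomain.
WHITELIST = ["www.google.com", ".example.org"]

# The localnet ACL from the config.
LOCALNET = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.1/32", "172.16.0.0/12", "192.168.0.0/16",
    "fc00::/7", "fe80::/10")]


def domain_matches(entry, host):
    """Squid domain-ACL semantics: exact match, or suffix match for '.domain' entries."""
    host, entry = host.lower().rstrip("."), entry.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def in_whitelist(name):
    # Assumption: no SNI / no Host header means nothing to match, hence not whitelisted.
    return name is not None and any(domain_matches(e, name) for e in WHITELIST)


def in_localnet(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in LOCALNET)


def decide(src, port, name):
    """Return the verdict for one intercepted connection:
    'splice' / 'terminate' for HTTPS, 'allow' / 'deny' for HTTP."""
    if not in_localnet(src):
        return "deny"  # http_access allow localnet fails, http_access deny all wins
    if port == 443:
        return "splice" if in_whitelist(name) else "terminate"
    if port == 80:
        return "allow" if in_whitelist(name) else "deny"
    return "deny"


if __name__ == "__main__":
    for case in (("10.1.2.3", 443, "www.google.com"), ("10.1.2.3", 443, "mail.google.com"),
                 ("10.1.2.3", 443, None), ("192.168.1.5", 80, "sub.example.org"),
                 ("10.1.2.3", 80, "google.com"), ("203.0.113.9", 80, "www.google.com")):
        print(case, "->", decide(*case))
```

The point the dry run makes is the whitelist format: with the post's single entry "www.google.com", any request for the bare apex or another subdomain is terminated or denied, and a client that sends no SNI cannot be matched against a host-name whitelist at all.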
The minimum firewall ports for a Windows domain controller and linux server
In order for a Linux (client) box to communicate with, and perform NTLM authentication against, a Windows domain controller through a restrictive firewall, you need at least the following ports open:
udp 53
tcp/udp 88
tcp/udp 135
tcp 139
tcp 389
tcp 445
tcp/udp 464
Add comments to IPTables firewall rules
Instead of only documenting the iptables configuration file (e.g. /etc/sysconfig/iptables) with # comments, you can also embed comments in the ruleset itself, so that iptables -L -v -n shows them in its output:
root@server070:[~]: iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
  64M 4727M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    5 474 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
 202K 27M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
   16 880 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
 137M 38G ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:514 /* Syslog traffic */
   28 1664 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:514 /* Syslog traffic */
41067 2050K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9997 /* Universal Forwarder traffic */
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8089 /* Splunk SSL traffic */
   47 2564 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8000 /* Splunk web interface */
14135 1313K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `iptables denied: '
 218K 21M REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
All you need to do is follow this example in your configuration file:
root@server070:[~]: cat /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 514 -m comment --comment "Syslog traffic" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 514 -m comment --comment "Syslog traffic" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9997 -m comment --comment "Universal Forwarder traffic" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8089 -m comment --comment "Splunk SSL traffic" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -m comment --comment "Splunk web interface" -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
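Once comments live in the ruleset, they can be audited. The following is an added example (not from the post) that reads a rules file in the iptables-save format shown above, reports which rules carry a comment and which do not, and adds a comment to a rule while respecting the length limit of the comment match. The rules excerpt is constructed.

```python
"""Audit an iptables rules file for rules without an inline --comment.

Added example, not from the post. Works on the iptables-save format that
/etc/sysconfig/iptables uses.
"""
import re

COMMENT = re.compile(r'-m comment --comment "([^"]*)"')
# xt_comment stores 256 bytes including the terminator, so iptables
# rejects comments longer than 255 characters.
MAX_COMMENT = 255

# Constructed excerpt: some rules are documented inline, some are not.
RULES = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 514 -m comment --comment "Syslog traffic" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9997 -m comment --comment "Universal Forwarder traffic" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def audit(text):
    """Return (documented, undocumented): lists of (rule, comment) and of bare rules."""
    documented, undocumented = [], []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue  # table, chain-policy and COMMIT lines carry no comment
        match = COMMENT.search(line)
        if match:
            documented.append((line, match.group(1)))
        else:
            undocumented.append(line)
    return documented, undocumented


def with_comment(rule, comment):
    """Return the rule with a comment match inserted before its -j target."""
    if len(comment) > MAX_COMMENT:
        raise ValueError("comment longer than %d characters" % MAX_COMMENT)
    if '"' in comment:
        raise ValueError("double quotes would break the saved rules file")
    head, sep, target = rule.rpartition(" -j ")
    if not sep:
        raise ValueError("rule has no -j target")
    return '%s -m comment --comment "%s" -j %s' % (head, comment, target)


if __name__ == "__main__":
    documented, undocumented = audit(RULES)
    for rule, comment in documented:
        print("documented  :", comment, "|", rule)
    for rule in undocumented:
        print("undocumented:", rule)
```

The undocumented list is the review target: each rule on it either gets a comment via with_comment, or a note in the file explaining why none is needed (the state, loopback and final REJECT rules are usually self-explanatory).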
Happy commenting!
Configure UTM 220 LCD panel under Linux
I had the task of rebuilding an Astaro UTM 220 with CentOS, and the LCD panel looked so lifeless that I decided to restore it to some version of functional. From my research, the display is an LCM-162 and uses the HD44780 LCD driver.
In a nut shell here is what I did:
- Download LCDproc (http://lcdproc.omnipotent.net/)
- Modify: lcdproc-0.5.6/server/drivers/hd44780-ext8bit.c
Change:
#define RS STRB
#define RW LF
#define EN1 INIT
To:
#define RS SEL
#define RW INIT
#define EN1 LF
- compile it with the option: ./configure --enable-drivers=hd44780
- make && make install
- Modify: /usr/local/etc/LCDd.conf
Change:
- Line 53: Driver=hd44780
- Line 502: ConnectionType=8bit
- Line 509: Device=/dev/parport0
- Line 544: Size=16x2
Test it:
LCDd -f -r 4 -c /usr/local/etc/LCDd.conf &
lcdproc -f -s localhost -p 13666 C M L
If it works, it's just a matter of copying scripts/init-LCDd.rpm and scripts/init-lcdproc.rpm to /etc/init.d and configuring chkconfig properly.
Hopefully that helps.